Office of Inspector General

December 19, 2006

MEMORANDUM

TO: M/AA Chief Privacy Officer, Phil Heneghan

FROM: IG/A/ITSA Director, Melinda G. Dempsey /s/

SUBJECT: Independent Auditor's Report on Applying Agreed-Upon Procedures for Assessing USAID's Implementation of Section 522 of the Consolidated Appropriations Act of 2005 (Report No. A-000-07-002-O)

This memorandum transmits our final report on the subject assessment for your review and comment. (See the Appendix for a discussion of this Agreed-Upon Procedures Report.) Although this is not an audit report, we are making six recommendations, which will be tracked in the Consolidated Audit Tracking System. Based on the supporting documentation already provided, we consider that final action has been taken on Recommendation No. 3 as of the date of this memorandum.

The United States Agency for International Development's (USAID) Office of Inspector General, Information Technology and Special Audits Division, engaged Urbach Kahn & Werlin, LLP, to conduct an independent assessment to determine USAID's compliance with §522 of the Consolidated Appropriations Act of 2005. The fieldwork was conducted at USAID's Headquarters in Washington, D.C., between September 29, 2006, and November 20, 2006. The specific objective of the assessment was to answer the following question:

   Did USAID develop and implement comprehensive privacy and data protection procedures as required by the Consolidated Appropriations Act of 2005, §522?

Enacted on December 8, 2004, the Consolidated Appropriations Act of 2005 (Public Law 108-447), Division H, Title V, §522 (hereafter referred to as §522), requires that each agency designate a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy. The Act also requires each agency to:

   • Establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public.

   • Prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures, and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report.

   • Have an independent third-party review performed at least every two years on the agency's use of information in an identifiable form.

Urbach Kahn & Werlin, LLP, determined that, although USAID has made positive strides over the past year to address privacy-related weaknesses, not all of the key requirements of the Consolidated Appropriations Act of 2005, §522, were met. Specifically, USAID did not:

   • Finalize the Agency's comprehensive privacy policies and procedures.

   • Complete its inventory of systems that contain personally identifiable information and update its system of records notices to reflect the Agency's current systems of records.

   • Consistently perform and fully document its Privacy Impact Assessments.

   • Complete its inventory of Agency-funded websites.

   • Prepare a report of its use of information in an identifiable form along with its privacy and data protection policies and procedures.

   • Implement role-based training for individuals responsible for personally identifiable information.

These weaknesses occurred because the privacy program was not considered a priority in years past. As a result of these weaknesses, USAID has not mitigated the risk of privacy-related vulnerabilities and inadvertent release of information in an identifiable form. Therefore, we are making the following recommendations, which will be included in the Consolidated Audit Tracking System and which will therefore require management decisions by USAID.

   Recommendation No. 1: We recommend that USAID's Chief Privacy Officer complete and finalize the revised privacy policies and procedures that encompass a more comprehensive approach to privacy compliance.

   Recommendation No. 2: We recommend that USAID's Chief Privacy Officer provide training and guidance on accurately completing privacy impact assessments to personnel responsible for conducting and preparing privacy impact assessments.

   Recommendation No. 3: We recommend that the system owner for the Office of Foreign Disaster Assistance network, in conjunction with the Chief Privacy Officer, complete privacy impact assessments for the databases maintained on the Office of Foreign Disaster Assistance network.

Subsequent to the issuance of the draft report, USAID completed a privacy impact assessment for the database on the Office of Foreign Disaster Assistance network. Based on the supporting documentation provided to Urbach Kahn & Werlin, LLP, final action has been reached on Recommendation No. 3 upon issuance of this report.

   Recommendation No. 4: We recommend that USAID's Chief Privacy Officer, in collaboration with the Bureau for Legislative and Public Affairs/Public Information, Production and Online Services, assemble a complete inventory of USAID-funded websites.

   Recommendation No. 5: We recommend that USAID's Chief Privacy Officer complete the report of USAID's use of information in an identifiable form and record it with the Agency's Inspector General.

   Recommendation No. 6: We recommend that USAID's Chief Privacy Officer identify specific user roles requiring role-based training and develop and implement an agency-wide role-based training program for individuals responsible for personally identifiable information.

Urbach Kahn & Werlin, LLP's report in its entirety is attached to this memorandum.

We request that you provide your comments to us within 30 days of the date of this memorandum. In your comments, we request that you clearly state your position on Recommendation Nos. 1, 2, 4, 5, and 6. If you agree with the recommendations, please confirm your agreement and include a plan for corrective action with a target date of completion for the planned action. If you disagree, please provide a detailed explanation of your reasons.

I appreciate the cooperation and courtesy extended to my staff and our independent third-party contractor throughout the assessment.


Appendix

ABOUT THIS AGREED-UPON PROCEDURES REPORT

We have performed the procedures enumerated in the Consolidated Appropriations Act of 2005, §522, which were agreed to by the United States Congress. The purpose of the procedures was to:

   • Measure actual privacy and data protection practices against the Agency's recorded privacy and data protection procedures.

   • Ensure compliance and consistency with both online and offline stated privacy and data protection policies.

   • Provide the Agency with ongoing awareness and recommendations regarding privacy and data protection procedures.

   • Ensure the Agency's description of the use of [privacy] information in an identifiable form is accurate and accounts for the agency's current technology and its processing of information in an identifiable form.

USAID management is responsible for developing and implementing comprehensive privacy and data protection procedures.

This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and Government Auditing Standards, issued by the Comptroller General of the United States. The sufficiency of the procedures is the sole responsibility of the parties specified in this report. Consequently, we make no representations regarding the sufficiency of the procedures in the attachment for the purpose for which this report has been requested or for any other purpose.

We were not engaged to and did not conduct an audit, the objective of which would be the expression of an opinion on the adequacy of the controls. Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you.

This report is intended for the information and use of the United States Congress and the public.


Independent Assessment of the United States Agency for International Development's Compliance with §522 of the Consolidated Appropriations Act of 2005

Final Report

December 11, 2006


Independent Assessment of the U.S. Agency for International Development's Compliance with §522 of the Consolidated Appropriations Act of 2005

TABLE OF CONTENTS

Executive Summary ............................ 1
Background ................................... 2
Objective .................................... 2
Scope ........................................ 3
Testing Methodology .......................... 3
Findings and Recommendations ................. 5


Executive Summary

The United States Agency for International Development's (USAID or the Agency) Office of Inspector General (OIG), Information Technology and Special Audits Division, engaged Urbach Kahn & Werlin LLP (UKW) to conduct an independent assessment to determine USAID's compliance with §522 of the Consolidated Appropriations Act of 2005. The Consolidated Appropriations Act of 2005 requires that each agency designate a Chief Privacy Officer and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. (See page 2.)

The assessment concluded that USAID did not meet all of the key requirements of §522 of the Consolidated Appropriations Act of 2005. The Agency has made positive strides over the past year to address privacy-related weaknesses. However, USAID still faces several important challenges to refine its privacy program in order to mitigate the risk of privacy-related vulnerabilities and inadvertent release of information in an identifiable form. For example:

   • Comprehensive privacy policies and procedures were still in draft format and had not yet been finalized. (See page 5.)

   • USAID did not have a complete inventory of systems that contain personally identifiable information, and system of records notices had not been updated to reflect the Agency's current systems of records. (See page 7.)

   • Privacy Impact Assessments had not been consistently performed and were not fully documented. (See page 8.)

   • USAID did not have a complete inventory of Agency-funded websites. (See page 9.)

   • USAID had not prepared a report of its use of information in an identifiable form along with its privacy and data protection policies and procedures. (See page 12.)

   • USAID had not implemented role-based training for individuals responsible for personally identifiable information. (See page 12.)

These weaknesses occurred because the privacy program was not considered a priority in years past. However, USAID has recently begun to take corrective action by appointing a Chief Privacy Officer with overall authority to develop and implement the Agency's privacy program in accordance with privacy laws and regulations.

This report contains six recommendations to help USAID improve its privacy program and practices.


Background

The United States Agency for International Development (USAID) is an independent Federal agency responsible for conducting foreign assistance and humanitarian aid, advancing the political and economic interests of the United States. USAID, based in Washington, DC, operates in about 100 developing countries and provides assistance to these countries by supporting:

   • Economic growth, agriculture, and trade;
   • Global health; and
   • Democracy, conflict prevention, and humanitarian assistance.

The Consolidated Appropriations Act of 2005 (Public Law 108-447), Division H Transportation/Treasury, Title V, §522 (hereafter referred to as §522), requires that each agency designate a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy. The Act also requires each agency to:

   1. Establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public;
   2. Prepare a written report of its use of information in an identifiable form, along with its privacy and data protection policies and procedures, and record it with the Inspector General of the agency to serve as a benchmark for the agency. Each report shall be signed by the agency privacy officer to verify that the agency intends to comply with the procedures in the report; and
   3. Have an independent third-party review performed at least every two years on the agency's use of information in an identifiable form.


Objective

Urbach Kahn & Werlin (UKW) was engaged by USAID's Office of Inspector General (OIG), Information Technology and Special Audits Division, to conduct an independent assessment to determine USAID's compliance with §522 of the Consolidated Appropriations Act of 2005. Accordingly, the objective of this review was to answer the following question:

   Did USAID develop and implement comprehensive privacy and data protection procedures as required by the Consolidated Appropriations Act of 2005, §522?


Scope

In assessing USAID's compliance with the requirements of §522, we:

   • Reviewed documentation and reports from USAID/OIG privacy audits and assessments;
   • Assessed USAID's privacy policies and procedures against existing privacy laws and regulations to identify gaps and inconsistencies; and
   • Analyzed two of USAID's networks, AIDNET and the Office of Foreign Disaster Assistance network (OFDANET), and a sample of eight USAID-funded websites for privacy vulnerabilities in accordance with §522. These privacy vulnerabilities include noncompliance with stated practices, policies and procedures, as well as risks of inadvertent release of information in an identifiable form.

The fieldwork was conducted at USAID's Headquarters in Washington, D.C., between September 29, 2006 and November 20, 2006.


Testing Methodology

To determine if USAID implemented the requirements of the Consolidated Appropriations Act, §522, we reviewed privacy laws and regulations including, but not limited to: the Consolidated Appropriations Act of 2005; the Privacy Act of 1974; Office of Management and Budget (OMB) Memorandum M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002"; and OMB Memorandum M-06-16, "Protection of Sensitive Agency Information."

We conducted interviews with key USAID privacy personnel, including the Chief Privacy Officer/Chief Information Officer and the Privacy Implementation Officer, as well as representatives of the Bureau for Legislative and Public Affairs (LPA) and the Office of the Chief Information Officer.

We obtained and reviewed USAID documents including, but not limited to:

   • USAID's policies related to the agency's privacy program, which include Automated Directives System (ADS) 545 - Information Systems Security, including the conforming amendments made to the policy; ADS 557 - Public Information; ADS Chapter 508 - Privacy Act of 1974; and ADS Chapter 509 - Creating, Altering, or Terminating a System of Records (Records Pertaining to Individuals)
   • Privacy Impact Assessments
   • Privacy Tips of the Day
   • System of Records Inventory
   • System of Records Notices (SORN)
   • AIDNET and OFDANET System Security Documentation

We also analyzed eight USAID-funded websites to identify privacy vulnerabilities. The websites were judgmentally selected in collaboration with the OIG. For the sample of websites, we tested whether the websites were using Secure Sockets Layer (SSL) to capture and transfer Privacy Act-protected user data, whether the appropriate privacy policy and disclosures were posted and available for all visitors and users of the websites, whether the use of tracking mechanisms complied with policy, and whether any personally identifiable information was protected. The websites we selected for review included the following:

   • http://www.eehicd.net
   • http://www.usaidkenya.org
   • http://www.usaidjordan.org
   • http://ane-environment.net
   • http://www.usaideasttimor.net
   • http://www.usaid.gov
   • http://africastories.usaid.gov
   • http://www.usaidafghanistan.org


Findings and Recommendations

USAID did not meet all of the key requirements of the Consolidated Appropriations Act of 2005, §522. These weaknesses occurred because the privacy program was not considered a priority in years past. However, the Agency has made positive strides over the past year to address privacy-related weaknesses. For example, USAID has recently appointed a Chief Privacy Officer with overall authority to develop and implement the Agency's privacy program in accordance with privacy laws and regulations. In addition, USAID has revised the main privacy policy document, ADS 508 – USAID Privacy Program, which provides a comprehensive set of privacy policies and procedures. However, the new ADS 508 is currently in draft form.

USAID still faces several important challenges to refine its privacy program in order to mitigate the risk of privacy-related vulnerabilities and inadvertent release of information in an identifiable form. For example:

   • Comprehensive privacy policies and procedures were still in draft format and had not yet been finalized.

   • USAID did not have a complete inventory of systems that contain personally identifiable information, and system of records notices had not been updated to reflect the Agency's current systems of records.

   • Privacy Impact Assessments had not been consistently performed and were not fully documented.

   • USAID did not have a complete inventory of Agency-funded websites.

   • USAID had not prepared a report of its use of information in an identifiable form along with its privacy and data protection policies and procedures.

   • USAID had not implemented role-based training for individuals responsible for Personally Identifiable Information (PII).

These findings are further discussed below.

1. Comprehensive privacy policies and procedures were still in draft format and had not yet been finalized.

   According to §522 of the Consolidated Appropriations Act of 2005, within 12 months of enactment of the Act, each agency shall establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form relating to the agency employees and the public. Such procedures shall be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002.

   During our review period, USAID had the following formally established and approved policies relating to the Agency's privacy program and practices:

      • ADS 508 – Privacy Act of 1974
      • ADS 509 – Creating, Altering or Terminating a System of Records
      • ADS 557 – Public Information
      • ADS 545 – Information Security (including Conforming Amendments)

   During the course of the review, however, USAID provided a draft revision of ADS 508. The draft version encompasses a more comprehensive approach to privacy compliance than the ADS 508 currently in place. The draft version that we reviewed replaces the old chapters and provides a clear definition of personally identifiable information, formal procedures for conducting privacy impact assessments, and incident response mechanisms in the event of privacy violations. Further, the new ADS 508 will reference other USAID privacy-related policies and procedures as well as OMB privacy policy directives.

   Due to the timing and scope of the current assessment, we reviewed the finalized policies listed above that are currently in place. While these policies are available via the Automated Directives System, they are not fully cross-referenced to each other. Further, the current version of USAID's policies did not provide a clear definition of personally identifiable information (PII), outline formal procedures for conducting privacy impact assessments, or establish procedures for responding to privacy violations.

   USAID management is aware of the weaknesses in its privacy program. According to a previous audit conducted by the USAID Office of Inspector General (OIG),[1] the privacy program was not considered a priority for the Agency in years past.

   Without finalizing the draft privacy policies and procedures, users will not be aware of USAID's policies and procedures relating to the privacy and protection of personally identifiable information.

   On June 8, 2006, the Office of Inspector General issued "Audit of USAID's Implementation of Key Components of a Privacy Program for its Information Technology Systems" (Report No. A-000-06-003-P). The report identified that USAID had not referenced the Agency's privacy policies and procedures to other requirements in the Automated Directives System, implemented formal procedures to conduct privacy impact assessments, or implemented formal procedures for responding to privacy violations. Since these issues were addressed in the OIG privacy audit, we are not making a recommendation in these areas.

   However, we are making the following recommendation:

   Recommendation No. 1

   We recommend that USAID's Chief Privacy Officer complete and finalize the revised privacy policies and procedures that encompass a more comprehensive approach to privacy compliance.

   [1] Audit of USAID's Implementation of Key Components of a Privacy Program for its Information Technology Systems (Audit Report No. A-000-06-003-P, June 8, 2006)

2. USAID did not have a complete inventory of systems that contain personally identifiable information, and system of records notices had not been updated to reflect the Agency's current systems of records.

   According to the Privacy Act of 1974, each agency that maintains a system of records must publish notification in the Federal Register upon establishment of the system and revise the notice if and when a change is made. USAID could not provide a complete inventory of USAID information systems that contain Personally Identifiable Information (PII). According to the Chief Privacy Officer, the inventory is still being constructed.

   In addition, ADS 509, "Creating, Altering, or Terminating a System of Records (Records Pertaining to Individuals)," outlines the policies and essential procedures for the creation, alteration, or termination of a System of Records that meets the requirements of the Privacy Act. As reported in an OIG audit report,[2] and as corroborated by the fieldwork conducted in this review, USAID did not follow its procedures (ADS 509, "Creating, Altering, or Terminating a System of Records") to update its System of Records Notices (SORNs) when required. As such, the SORNs have not been updated to reflect the Agency's current systems of records. For example, the SORNs currently published in the Federal Register state that several of the systems of records are located in offices that USAID no longer occupies in Virginia and Washington, D.C. However, the required updates to the records were not made and published in the Federal Register. During our review, we concluded that corrective action had not been completed on the reported finding.

   According to USAID officials, the Chief Privacy Office is currently working on several new Systems of Records Notices, including: 1) the Partner Vetting System, 2) the update to the Office of Security "umbrella" System of Records Notices, 3) the CISO Security Tips of the Day, and 4) the OFDA People Trak database. In addition, the Chief Privacy Office has received concurrence from the General Counsel that the Chief Privacy Office should reissue the existing SORNs for significantly altered Systems of Records.

   USAID management is aware of the weaknesses in its privacy program. According to a previous audit conducted by the USAID OIG, the privacy program was not considered a priority for the Agency in years past.

   As a result of not having a complete inventory of systems that contain PII and the lack of monitoring, updating and publishing of SORNs, the Agency and the public are not aware of the types of personally identifiable information that USAID maintains.

   On June 8, 2006, the Office of Inspector General issued an audit report[3] that identified that USAID had not monitored the timely preparation and publishing of System of Records Notices in the Federal Register. Additionally, the OIG report "Agreed Upon Procedures for Assessing USAID's Protection of Remote Use of Personally Identifiable Information and Information Systems" (Memorandum Report No. A-000-07-001-S, November 28, 2006) identified that USAID did not have a complete inventory of systems that contain personally identifiable information. Therefore, we are not making a recommendation in these areas, since the issues were addressed in previous OIG audits.

   [2] Audit of USAID's Implementation of Key Components of a Privacy Program for its Information Technology Systems (Audit Report No. A-000-06-003-P, June 8, 2006)
   [3] Audit of USAID's Implementation of Key Components of a Privacy Program for its Information Technology Systems (Audit Report No. A-000-06-003-P, June 8, 2006)

3. Privacy impact assessments had not been consistently performed and were not fully documented.

   The E-Government Act of 2002 requires agencies to complete Privacy Impact Assessments (PIAs) prior to (1) developing or procuring information technology systems or projects that collect, maintain or disseminate information in identifiable form about an individual, or (2) initiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in identifiable form for 10 or more persons, excluding agencies, instrumentalities or employees of the federal government. Specifically, agencies are required to:

      • Conduct PIAs.
      • Ensure the Chief Information Officer (or equivalent official) reviews the PIAs.
      • Make the PIAs publicly available through the website of the agency, publication in the Federal Register, or other means.

   Our review of the AIDNET and OFDANET Privacy Impact Assessments identified that the PIAs had not been properly completed. USAID provided us with the PIA templates for AIDNET and OFDANET; however, the information documented in the PIA templates for AIDNET and OFDANET differs from the summary PIAs that are posted on the USAID website. For example, the PIA templates for AIDNET and OFDANET state that PII is either contained or collected. However, the PIAs posted to the USAID privacy program webpage state that it is not. According to USAID officials, the information posted to the USAID privacy program webpage is correct because AIDNET and OFDANET do not contain or collect PII. In addition, the PIAs that have been completed do not contain the date they were signed off on or the signatures of the personnel authorized to sign off on the completed PIA, and the information is incomplete in the comments sections, where comments and guidance are used for further clarification of PIA steps.

   Additionally, PIAs had not been completed for any of the databases maintained on OFDANET. These databases are: People Trak, Field Support (FST), and Disaster Assistance Support (DASP). We were informed by OFDANET officials that FST and DASP were recently discovered to be housed on OFDANET and that they would complete PIAs for these databases.

   USAID management is aware of the weaknesses in its privacy program. According to a previous audit conducted by the USAID OIG, the privacy program was not considered a priority for the Agency in years past. The Agency has recently begun implementing the privacy program. In addition, personnel responsible for completing PIAs had not received proper training and guidance to ensure PIAs were completed accurately.

   Without a complete and accurate PIA, USAID will not be able to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an information system.

   Recommendation No. 2

   We recommend that USAID's Chief Privacy Officer provide training and guidance on accurately completing privacy impact assessments to personnel responsible for conducting and preparing privacy impact assessments.

   Recommendation No. 3

   We also recommend that the system owner for the Office of Foreign Disaster Assistance network, in conjunction with the Chief Privacy Officer, complete privacy impact assessments for the databases maintained on the Office of Foreign Disaster Assistance network.

   (Note: Subsequent to the issuance of the draft report, OFDANET officials reported that they had met with Office of the Chief Information Security Officer (CISO) personnel regarding the completion of privacy impact assessments for the OFDANET databases. Upon review of the OFDANET databases, it was determined that a privacy impact assessment would only need to be completed for the People Trak database. Therefore, a privacy impact assessment, System of Records Notice (SORN), and System Classification were completed for the People Trak database. Based on the supporting documentation that was provided, this recommendation will be closed upon issuance of the final report.)

4.
USAID did not have a complete inventory of Agency funded websites.\n\n   The ADS 557 \xe2\x80\x93 Public Information provides the policy directives for Agency\n   information distributed to the public and details how to respond to requests from the\n   public for information about USAID\'s programs and activities. According to ADS 557,\n   USAID\xe2\x80\x99s Bureau for Legislative and Public Affairs is responsible for maintaining the\n   Agency\xe2\x80\x99s inventory of public websites. However, USAID does not have a complete\n   inventory of USAID funded websites. During the course of our review, we were\n   provided two separate partial website inventories. One inventory is maintained by\n   the USAID\xe2\x80\x99s Bureau of Legislative and Public Affairs and the second is maintained\n   by the Office of the Chief Information Security Officer (CISO). However, these\n   inventories have not been consolidated into one inventory.\n\n   USAID has recently begun to compile a complete inventory of USAID funded\n   websites as well as a process to monitor the websites for privacy compliance.\n   According to a representative from the Bureau of Legislative and Public Affairs,\n   USAID would need additional staff and funding to monitor all Agency funded\n   websites.\n\n   As a result, external USAID websites are partially in compliance with \xc2\xa7522 of the\n   Consolidated Appropriations Act of 2005, and OMB Memorandum 00-13 \xe2\x80\x9cPrivacy\n   Policies and Data Collection on Federal Web Sites.\xe2\x80\x9d In the course of our review, we\n   noted the following conditions on the websites selected for review:\n\n                                          9\n\x0c     Independent Assessment of U.S. 
Agency for International Development\xe2\x80\x99s\n       Compliance with \xc2\xa7522 of the Consolidated Appropriations Act of 2005\n\n\n\n        \xe2\x80\xa2   Persistent Cookie \xe2\x80\x93 The site, http://africastories.usaid.gov, set a persistent\n            cookie while reviewing the site. This cookie was set to expire in 2036, which\n            is a length of time customary for such cookies. During our review of the site,\n            it was determined that the cookie requested no user specific information, but\n            was being used to associate specific page views. No private information was\n            seen to pass between web browser and the originating site. According to\n            USAID officials, there is no waiver in place to use a tracking mechanism on\n            this web site.\n\n        \xe2\x80\xa2   Web Bug 4 \xe2\x80\x93 The site associated with http://ane-environment.net appears to\n            set a cookie/bug which is associated to the Google search function on the\n            page.\n\n            According to M-03-22, OMB Guidance for Implementing the Privacy\n            Provisions of the E-Government Act of 2002, agencies are prohibited from\n            using persistent cookies or any other means (e.g., web beacons) to track\n            visitors\xe2\x80\x99 activity on the Internet except as provided in subsection (b) below;\n            agency heads may approve, or may authorize the heads of sub-agencies or\n            senior official(s) reporting directly to the agency head to approve, the use of\n            persistent tracking technology for a compelling need. 
When used, agency\xe2\x80\x99s\n            must post clear notice in the agency\xe2\x80\x99s privacy policy of:\n\n                \xe2\x80\xa2   the nature of the information collected;\n                \xe2\x80\xa2   the purpose and use for the information;\n                \xe2\x80\xa2   whether and to whom the information will be disclosed; and\n                \xe2\x80\xa2   the privacy safeguards applied to the information collected.\n\n        \xe2\x80\xa2   SSL     Keys      \xe2\x80\x93    The    sites,   http://www.usaidafghanistan.org    and\n            http://www.usaidkenya.org, offer Secure Socket Layer functionality to site\n            users. In both cases, the keys present were un-trusted, being self-signed and\n            related to other web sites. This state negates the security and trust\n            relationship provided to the end-user. Because the key is not associated with\n            the site of origin, the end-user cannot establish the authenticity of the key.\n            According to National Institute of Standards and Technology (NIST) Special\n            Publications 800-44, Guidelines on Securing Public Web Servers, \xe2\x80\x9cwithout\n            some process to authenticate the server, users of the public Web server will\n            not be able to determine if the server is the \xe2\x80\x9cauthentic\xe2\x80\x9d Web server or a\n            counterfeit version operated by a malicious entity.\xe2\x80\x9d\n\n        \xe2\x80\xa2   User Information \xe2\x80\x93 It was possible to find information regarding program\n            participants by following a link off the http://ane-environment.net site. This\n            information included program participants and personal contact information.\n\n\n\n4\n A Web bug is a graphic on a Web page designed to monitor who is reading the page or\nmessage. Web bugs are often invisible because they are typically only 1-by-1 pixels in size. 
In\nmany cases, Web bugs are placed on Web pages by third parties interested in collecting data\nabout visitors to those pages.\n\n                                               10\n\x0c Independent Assessment of U.S. Agency for International Development\xe2\x80\x99s\n   Compliance with \xc2\xa7522 of the Consolidated Appropriations Act of 2005\n\n\n   \xe2\x80\xa2   Administrative Information \xe2\x80\x93 It was possible to view potential private and\n       system administrative information by following a link off the\n       http://www.eehicd.net site to a training contractor,\n       http://egypt.usaidtraining.devis.com.\n\n   \xe2\x80\xa2   Site Warning Banner \xe2\x80\x93 Four of eight websites tested; http://www.eehicd.net,\n       http://www.usaidkenya.org, http://www.usaidjordan.org, and\n       http://www.usaideasttimor.net do not warn visitors that they are leaving the\n       site when activating an on-site link. According to Technical Regulations for\n       AID/Washington external website pages per the Xweb guidance, all links to\n       sites not residing on a .gov server must utilize the "Goodbye" script.\n\n   \xe2\x80\xa2   Privacy Notice \xe2\x80\x93 The site, http://www.usaideasttimor.net, lacked a privacy\n       notice link on the \xe2\x80\x98Contact Us\xe2\x80\x99 page. 
It is noted this is the only page on which\n       data can be entered.\n\n   \xe2\x80\xa2   Domain Registry \xe2\x80\x93 Of the eight websites reviewed, the following six\n       websites are listed on non-.gov domains:\n          \xe2\x80\xa2 http://www.eehicd.net;\n          \xe2\x80\xa2 http://www.usaidkenya.org;\n          \xe2\x80\xa2 http://www.usaidjordan.org;\n          \xe2\x80\xa2 http://ane-environment.net;\n          \xe2\x80\xa2 http://www.usaideasttimor.net;\n          \xe2\x80\xa2 http://www.usaidafghanistan.org.\n\n       However, the following four websites also exist on the .gov domain:\n         \xe2\x80\xa2 http://www.usaidkenya.org;\n         \xe2\x80\xa2 http://www.usaidjordan.org;\n         \xe2\x80\xa2 http://www.usaideasttimor.net;\n         \xe2\x80\xa2 http://www.usaidafghanistan.org.\n\nHowever, when trying to access the http://kenya.usaid.gov website, located on the\n.gov domain, the website does not allow a connection to be established.\n\nThe ADS 557 states the following, \xe2\x80\x9cIn accordance with the OMB Memorandum 05-\n04, \xe2\x80\x9cPolicies for Federal Agency Public Websites,\xe2\x80\x9d as of December 31, 2005, web\npages containing official U.S. Government information or which conduct transactions\nor other business related actions on behalf of the Agency must reside on .gov\ndomains.\xe2\x80\x9d\n\nThe lack of monitoring of Agency funded websites coupled with existent\nconfigurations on the web servers may result in the unintentional disclosure of\ninformation by web site users or USAID employees.\n\nOn June 8, 2006, the Office of Inspector General issued \xe2\x80\x9cAudit of USAID\xe2\x80\x99s\nImplementation of Key Components of a Privacy Program for its Information\nTechnology Systems\xe2\x80\x9d (Report No. A-000-06-003-P). The report identified that\nUSAID had not established and implemented a formal process to monitor agency\nfunded websites to ensure the privacy of website users was protected. 
Since this\n\n                                       11\n\x0c    Independent Assessment of U.S. Agency for International Development\xe2\x80\x99s\n      Compliance with \xc2\xa7522 of the Consolidated Appropriations Act of 2005\n\n\n   issue had been addressed during the OIG Privacy audit, we are not making a\n   recommendation in this area.\n\n   However, we are making the following recommendation:\n\n   Recommendation No.4\n\n   We recommend that USAID\xe2\x80\x99s Chief Privacy Officer, in collaboration with Bureau for\n   Legislative and Public Affairs/Public Information, Production and Online Services,\n   assemble a complete inventory of USAID funded websites.\n\n5. USAID had not prepared a report of its use of information in an identifiable\n   form along with its privacy and data protection policies and procedures.\n\n   \xc2\xa7522 of the Consolidated Appropriations Act of 2005 requires each agency to\n   prepare a written report of its use of information in an identifiable form, along with its\n   privacy and data protection policies and procedures and record it with the Inspector\n   General of the agency to serve as a benchmark for the agency. Each report is\n   required to be signed by the agency privacy officer to verify that the agency intends\n   to comply with the procedures in the report. However, USAID has not prepared a\n   report of its use of information in an identifiable form along with its privacy and data\n   protection policies and procedures because the Agency has recently appointed a\n   Chief Privacy Officer to ensure that privacy laws and regulations are adhered to.\n\n   The Agency\xe2\x80\x99s Inspector General provides oversight to ensure that USAID is in\n   compliance with Federal requirements. 
Without a written report, it is difficult for the\n   Inspector General to assess the status of the privacy program and ensure that\n   requirements of \xc2\xa7522 are met.\n\n   Recommendation No.5\n\n   We recommend USAID\xe2\x80\x99s Chief Privacy Officer complete the report of USAID\xe2\x80\x99s use of\n   information in an identifiable form and record it with the Agency\xe2\x80\x99s Inspector General.\n\n6. USAID had not implemented role-based training for individuals responsible for\n   personally identifiable information.\n\n   The ADS 545 Conforming Amendments requires that the Agency establish and\n   provide annual Privacy Awareness training to all staff that use PII in routine\n   performance of their duties. For individuals who have additional responsibility for PII,\n   the Agency must provide role-based training. USAID has incorporated privacy\n   related tips into their \xe2\x80\x9cTips of the Day\xe2\x80\x9d security awareness program. However, role-\n   based training has not been implemented for individuals responsible for PII. In\n   addition, specific user roles have not been identified to receive role-based training.\n   According to USAID officials, these roles will be outlined in the new ADS 508 and\n   training will coincide with the release of ADS Chapter 508 and the new release of\n   Tips of the Day.\n\n\n\n\n                                            12\n\x0c Independent Assessment of U.S. 
Agency for International Development\xe2\x80\x99s\n   Compliance with \xc2\xa7522 of the Consolidated Appropriations Act of 2005\n\n\nWithout proper privacy training, users may not be properly informed of the\nimportance of information they handle and the legal and business reasons for\nmaintaining its integrity and confidentiality.\n\nRecommendation No.6\n\nWe recommend that USAID\xe2\x80\x99s Chief Privacy Officer identify specific user roles\nrequiring role-based training and develop and implement an agency-wide training\nprogram regarding role based training for individuals responsible for personally\nidentifiable information.\n\n\n\n\n                                    13\n\x0c'
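The website conditions listed under finding 4 (a persistent cookie expiring in 2036, self-signed SSL keys related to other sites, external links that bypass the "Goodbye" script, and sites served from non-.gov domains) are the kind of checks a privacy monitoring process can run mechanically before each review. The script below is an added example written for this page; it is not part of the OIG report or of any USAID tooling. The sample cookies, certificate fields and HTML are constructed, the `/goodbye` interstitial path is an assumed stand-in for the "Goodbye" script, and the one-day threshold for calling a cookie "persistent" is an assumption.

```python
"""Added example: offline checks for the website conditions described in finding 4.
Sample inputs are constructed; the /goodbye path and the one-day threshold are assumptions."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a cookie that outlives the browser session by more than a day is
# "persistent" in the OMB M-03-22 sense; the review flagged one expiring in 2036.
PERSISTENT_HORIZON = timedelta(days=1)
REVIEW_DATE = datetime(2006, 11, 20, tzinfo=timezone.utc)  # end of fieldwork per the report


def persistent_cookies(set_cookie_values, now=REVIEW_DATE):
    """Names of cookies whose Expires or Max-Age attribute outlives the session."""
    found = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.lower()
            lifetime = None
            if key == "max-age" and val.isdigit():
                lifetime = timedelta(seconds=int(val))
            elif key == "expires":
                try:
                    expires = parsedate_to_datetime(val)
                except (TypeError, ValueError):
                    continue  # unparsable date: browsers treat it as a session cookie
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
                lifetime = expires - now
            if lifetime is not None and lifetime > PERSISTENT_HORIZON:
                found.append(name)
                break
    return found


def cert_matches_host(cert_names, host):
    """True if host matches a certificate DNS name exactly or via a single-label wildcard."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def review_tls(cert, host):
    """Flag the two conditions the report found: self-signed keys and keys for other sites."""
    issues = []
    if cert["issuer"] == cert["subject"]:
        issues.append("self-signed certificate")
    if not cert_matches_host(cert["names"], host):
        issues.append("certificate not issued for this site")
    return issues


class LinkCollector(HTMLParser):
    """Collect href values of anchor tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def unwarned_external_links(html, site_host):
    """External, non-.gov links that are not routed through an on-site exit interstitial."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        host = urlparse(href).netloc.lower()
        if not host or host == site_host or host.endswith(".gov"):
            continue  # on-site link (e.g. /goodbye?url=...) or already on a .gov server
        flagged.append(href)
    return flagged


def off_gov_domain(site_url):
    """True when the site is not served from a .gov domain (ADS 557 / OMB M-05-04)."""
    return not urlparse(site_url).netloc.lower().endswith(".gov")


def review_site(site_url, set_cookie_values, cert, html):
    """Run every check and return the findings for one site."""
    host = urlparse(site_url).netloc.lower()
    return {
        "persistent_cookies": persistent_cookies(set_cookie_values),
        "tls_issues": review_tls(cert, host),
        "unwarned_external_links": unwarned_external_links(html, host),
        "off_gov_domain": off_gov_domain(site_url),
    }


# Constructed sample data for one reviewed site (not captured from any USAID server).
SAMPLE_URL = "http://www.usaidkenya.org/"
SAMPLE_COOKIES = [
    "sid=abc123; Path=/; HttpOnly",                                 # session cookie
    "visitor=42; Expires=Wed, 31 Dec 2036 23:59:59 GMT; Path=/",   # persistent tracker
]
SAMPLE_CERT = {  # self-signed and issued for a different host name
    "subject": "CN=www.example-mission.net",
    "issuer": "CN=www.example-mission.net",
    "names": ["www.example-mission.net"],
}
SAMPLE_HTML = """
<a href="/about.html">About</a>
<a href="/goodbye?url=http://partner.example.net/">Partner (via interstitial)</a>
<a href="http://partner.example.net/">Partner (direct)</a>
<a href="http://www.usaid.gov/">USAID</a>
"""

if __name__ == "__main__":
    for check, result in review_site(SAMPLE_URL, SAMPLE_COOKIES, SAMPLE_CERT, SAMPLE_HTML).items():
        print(f"{check}: {result}")
```

In practice the inputs would come from a fetch of each inventoried site (the Set-Cookie response headers, the server certificate's subject, issuer and subject alternative names, and the landing page HTML); keeping the checks as pure functions over those inputs lets the same logic run against the consolidated website inventory the report recommends, and makes the thresholds auditable.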